Slashdot Mirror

← Back to Stories (view on slashdot.org)

KeyStore Vulnerability Affects 86% of Android Devices

Posted by timothy on from the that's-a-lot dept.

jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."

3 of 71 comments (clear)

  1. Finally by Anonymous Coward · · Score: 5, Funny

    Something new that's compatible with most people's version of Android.

  2. Re:No bounds checking? by ArcadeMan · · Score: 5, Funny

    Android: our security knows no bounds!

    --
    Get free satoshi (Bitcoin) and Dogecoins
  3. Re:Serious? by TheGratefulNet · · Score: 5, Interesting

    no, by google, the code OWNER, for much of the code base.

    old 2.x android which still works for audio phone and email and simple web (which is 99% of what many users want, actually). but has no security patches from google since the last OTA update was at least 3 yrs ago, maybe more.

    google abandons things. it may not be pleasant for fanboys to admit, but its a fact and its part of why I have so much anger toward google. they are not serious. not by my definition. 5 yr old hardware that needs security SHOULD get security updates. even 10 yrs. again, this is the money and power and brain-rich google we're talking about. they do NOT get a pass on being bad about backporting security. a 10 or 100 man company, sure. but google gets no free pass on abandoning their own phones (my case, the N1). total complete abandonment. even the gmail app BY google refuses to work properly on the N1, now. it does not auto poll and show newmail indications. you have to manually poll. a google app on a google phone that is broken. this is why I hate them.

    --

    --
    "It is now safe to switch off your computer."